Just a curious question around Exchange 2016 / AD account lockouts. I have a user who has a couple of mobile devices (two iPads, a Surface tablet and an iPhone). On each client, he runs a couple of different email clients which connect to his Exchange 2016 mailbox, including the native Mail app, Outlook for iOS and Spark (I know, but it's a case that he's trying to find the client that works best for him. On top of that, he is the owner of the business). Since changing his password, his account keeps locking out. Apparently he's updated the password on every device and in every app, but still it keeps locking out.

Looking at the AD event logs, I can see that it is being locked via calls to the Exchange server. What I was wondering is if there was a way to identify the actual device or app that might be causing the account to lock out. From what I can tell, the AD logging level shows the calls from Exchange, but not much else. If I use Get-ActiveSyncDeviceStatistics, it shows that the devices all had a successful sync. But I'm guessing that would not show issues if an app had the incorrect password?

Thoughts? Thanks,

You might get somewhere with Get-MobileDeviceStatistics


Probably what you are going to have to do is figure this out by process of elimination.  Gather ALL of the devices, turn them all OFF but one.  Go through all of the apps, make sure send/receive all work on all apps, turn the device off and move to the next one.

No, you can't tell what app is making the call. Exchange doesn't care.

You might use Fiddler to speed up the process.


With this you should be able to see what traffic is causing the lockout.
I am not sure if this will show the name of the mobile devices but you can try https://community.spiceworks.com/how_to/128213-identify-the-source-of-account-lockouts-in-active-directory

How many domain controllers are there in the company?  If more than one then you will have to check this on each one.
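
As an added example (not part of any reply in this thread, and not a vendor tool): one way to tie failed logons to a device is to count 401.1 (logon failed) responses on the ActiveSync virtual directory in the Exchange server's IIS log, grouped by the DeviceId and DeviceType the client sends in the query string. It assumes IIS W3C logging with the fields shown is enabled; the function name and sample log are constructed.

```python
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample in IIS W3C format; the user, device IDs, user agents
# and addresses are made up for this example.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status sc-substatus
2018-06-01 09:00:01 POST /Microsoft-Server-ActiveSync/default.eas User=boss&DeviceId=IPHONE0001&DeviceType=iPhone&Cmd=Sync boss 203.0.113.10 ExampleNativeMail/1.0 200 0
2018-06-01 09:00:05 POST /Microsoft-Server-ActiveSync/default.eas User=boss&DeviceId=IPAD0002&DeviceType=iPad&Cmd=Sync - 203.0.113.20 ExampleMailApp/1.0 401 1
2018-06-01 09:00:35 POST /Microsoft-Server-ActiveSync/default.eas User=CORP%5Cboss&DeviceId=IPAD0002&DeviceType=iPad&Cmd=Sync - 203.0.113.20 ExampleMailApp/1.0 401 1
2018-06-01 09:01:05 POST /Microsoft-Server-ActiveSync/default.eas User=boss&DeviceId=IPAD0002&DeviceType=iPad&Cmd=Sync - 203.0.113.20 ExampleMailApp/1.0 401 1
2018-06-01 09:01:10 POST /Microsoft-Server-ActiveSync/default.eas User=boss&DeviceId=IPAD0001&DeviceType=iPad&Cmd=Ping - 203.0.113.10 ExampleNativeMail/1.0 401 2
2018-06-01 09:01:20 POST /Microsoft-Server-ActiveSync/default.eas User=other&DeviceId=PHONE0009&DeviceType=Android&Cmd=Sync - 198.51.100.7 ExampleDroid/2.0 401 1
"""

def _account(name):
    """Reduce DOMAIN\\user or user@domain to the bare account name."""
    return name.lower().split("\\")[-1].split("@")[0]

def failed_logons(log_text, user):
    """Count 401.1 ActiveSync responses for `user` per (DeviceId, DeviceType, User-Agent, client IP)."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the column layout can change mid-file
            continue
        parts = line.split()
        if not fields or line.startswith("#") or len(parts) != len(fields):
            continue
        row = dict(zip(fields, parts))
        if "/microsoft-server-activesync" not in row["cs-uri-stem"].lower():
            continue
        # 401.1 = credentials rejected; 401.2 = no credentials sent (normal challenge)
        if (row["sc-status"], row["sc-substatus"]) != ("401", "1"):
            continue
        # cs-username is "-" on a failed logon, so take the user from the query string
        query = {k.lower(): v[0] for k, v in parse_qs(row["cs-uri-query"]).items()}
        if _account(query.get("user", "")) != _account(user):
            continue
        key = (query.get("deviceid", "?"), query.get("devicetype", "?"),
               row["cs(User-Agent)"], row["c-ip"])
        hits[key] += 1
    return hits.most_common()

if __name__ == "__main__":
    for key, count in failed_logons(SAMPLE_LOG, "boss"):
        print(count, *key)
```

Only clients that talk ActiveSync show up this way; the DeviceId it reports can then be matched against the output of Get-MobileDeviceStatistics.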

Here is another tool that may help you narrow down the device: https://www.microsoft.com/en-ca/download/details.aspx?id=18465

Two thoughts:
1. If the firewall (or internal AP) is capable of doing any type of reporting, this may help nail down which device (short of doing what Scott C says regarding powering them off and testing).
2. You may not be aware of all devices / accounts ... not because the owner is intentionally hiding something but because he is accidentally forgetting something.

Given #2 as a possibility and from experience, I'm guessing it doesn't take too long for the account to get locked. I would pick a time convenient for him, power off all known devices with accounts on them and simply watch ... this will either confirm or rule out #2. If #2 is the case, you will chase your tail with everything else ...

Refer to this earlier discussed thread, i.e. Exchange user intermittently locked out: https://www.experts-exchange.com/questions/29097433/Exchange-user-intermittently-locked-out.html

Usually this happens due to a phone, workstation, tablet or home system connected to Exchange. Most likely, a phone, tablet, etc. is trying to authenticate with the old credentials. Check Credential Manager on the PC to see if there are any cached credentials.

For future prospective, you can also go through this article explaining some possible causes of account lockouts in AD and how to resolve them. Also, here is another informative post which may help you to find out the source of account lockouts: https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html

How to Troubleshoot Account Lockout in Active Directory:
